Morgan Stanley Insider Case Offers New Year Insider Reminders

The new year has started with a clear example of why it is so important to keep an eye out for insider threats. It came by way of news yesterday from investment firm Morgan Stanley that it fired a wealth advisor who accessed data on about 10% of its client roster and publicly posted details for 900 of them online.

"We are only five days into 2015, and already we are seeing insider breaches with the recent news at Morgan Stanley," says Eric Chiu, president and co-founder of HyTrust. "Data is the new currency, and employees have easy access to steal sensitive data for profit or to inflict damage."

In this case, the damage was minimal. The company was able to find and remove a Pastebin dump with the data and figure out how it was exposed before much injury was done. According to Dave Frymier, CISO for Unisys, the incident seems to have been handled quite well.

"As far as I can tell, it looks like Morgan Stanley has a pretty good handle on what happened here," Frymier says. "As long as they know what happened -- and it seems like they do -- there is no downside to it for them."

He believes the only lurking question is how a mid-level employee could have accessed hundreds of thousands of records.

"On the management path, there would only be very few -- and very trusted -- high-level managers with access to 350,000 records. At any company like Morgan Stanley with over 3 million clients, there is a wealth of data that can be mined from their customer database for their competitive advantage," he says. "However, mid-level financial advisors typically aren’t qualified (or allowed!) to do this sort of work. There are 'big data' gurus who do this sort of thing, and they are the only ones who should have access to the entire aggregation of data."

The incident should serve as good warning that organizations should be looking for ways "to detect toxic combinations of people, activities, and applications" that could put them at risk, says Matt Zanderigo, product marketing manager for ObserveIT. This includes IT users, everyday business users, and contractors who may be engaging in activities unusual for their role -- for example, an everyday business user making configuration changes.

"Each of these toxic combinations has one thing in common: They introduce substantial, unaddressed, user-based risk," says Zanderigo. "Security-conscious organizations must monitor user accounts to reduce the impact of this type of user-based risk."

Additionaly, dedicated incident response and forensic teams need to be at the ready to interpret those monitoring alerts when they pop up. As Scott Hazdra, a principal security consultant at Neohapsis, puts it, the Morgan Stanley incident appears to be amateurish compared to many other insider incidents.

"It appears the alleged perpetrator was not very sophisticated or adept at hiding his activities, where a more talented bad actor may have hidden his tracks much more effectively," says Hazdra, explaining that, regardless, incident response is crucial to finding the tracks, however well hidden they may be. "Security analysts in a security operations center that hunt for abnormal activity can often spot this type of data movement based on quantity, destination, or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio

With the prevailng industry view that breaches are going to happen, & the best defense is limit the exposure to your most sensitive and critical data,I'd say Morgan Stanley was both lucky and prepared. But the fact that the source of the breach was an employee "wealth manager" should be a serious wakeup call about the insider threat to all, not just the financial industry.

@Marilyn Cohodas - Good question, no doubt in my mind and we can only imagine what they would do with this data and how Morgan Stanley would react to it ? Would they use the Sony defense ? Where we argue it is every taxpayers problem or would they use the Chase Method and not say anything for months ?

Either way it is oddly fascinating to see the "Damage Control Psychology of the Breech" evolve as we speak.

Now if we can get someone to be accountable - we just might be getting somewhere.

Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.

An exploitable vulnerability exists in the verified boot protection of the Das U-Boot from version 2013.07-rc1 to 2014.07-rc2. The affected versions lack proper FIT signature enforcement, which allows an attacker to bypass U-Boot's verified boot and execute an unsigned kernel, embedded in a legacy i...